Misbinding Raw Public Keys to Identities in TLS

Mariam Moustafa; Mohit Sethi; Tuomas Aura

doi:10.1007/978-3-031-79007-2_4

Misbinding Raw Public Keys to Identities in TLS

Mariam Moustafa^*, Mohit Sethi, Tuomas Aura

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

Abstract

The adoption of security protocols such as Transport Layer Security (TLS) has significantly improved the state of traffic encryption and integrity protection on the Internet. Despite rigorous analysis, vulnerabilities continue to emerge, sometimes due to fundamental flaws in the protocol specification. This paper examines the security of TLS when using Raw Public Key (RPK) authentication. This mode has not been as extensively studied as X.509 certificates and Pre-Shared Keys (PSK). We develop a formal model of TLS RPK using applied pi calculus and the ProVerif verification tool, revealing that the RPK mode is susceptible to identity misbinding attacks. Our contributions include formal models of TLS RPK with several mechanisms for binding the endpoint identity to its public key, verification results, practical scenarios demonstrating the misbinding attack, and recommendations for mitigating such vulnerabilities. These findings highlight the need for improved security measures in TLS RPK.

Original language	English
Title of host publication	Secure IT Systems - 29th Nordic Conference, NordSec 2024, Proceedings
Editors	Leonardo Horn Iwaya, Liina Kamm, Leonardo Martucci, Tobias Pulls
Publisher	Springer
Pages	62-79
Number of pages	18
ISBN (Electronic)	978-3-031-79007-2
ISBN (Print)	978-3-031-79006-5
DOIs	https://doi.org/10.1007/978-3-031-79007-2_4
Publication status	Published - 28 Jan 2025
MoE publication type	A4 Conference publication
Event	Nordic Conference on Secure IT Systems - Karlstad, Sweden Duration: 6 Nov 2024 → 7 Nov 2024 Conference number: 29

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Publisher	Springer
Volume	15396 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	Nordic Conference on Secure IT Systems
Abbreviated title	NordSec
Country/Territory	Sweden
City	Karlstad
Period	06/11/2024 → 07/11/2024

Keywords

formal modeling
identity misbinding
raw public key
TLS

Access to Document

10.1007/978-3-031-79007-2_4

https://arxiv.org/abs/2411.09770

Cite this

Moustafa, M., Sethi, M., & Aura, T. (2025). Misbinding Raw Public Keys to Identities in TLS. In L. Horn Iwaya, L. Kamm, L. Martucci, & T. Pulls (Eds.), Secure IT Systems - 29th Nordic Conference, NordSec 2024, Proceedings (pp. 62-79). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 15396 LNCS). Springer. https://doi.org/10.1007/978-3-031-79007-2_4

Moustafa, Mariam ; Sethi, Mohit ; Aura, Tuomas. / Misbinding Raw Public Keys to Identities in TLS. Secure IT Systems - 29th Nordic Conference, NordSec 2024, Proceedings. editor / Leonardo Horn Iwaya ; Liina Kamm ; Leonardo Martucci ; Tobias Pulls. Springer, 2025. pp. 62-79 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{ff247799342947e9bd28e451250d10f6,

title = "Misbinding Raw Public Keys to Identities in TLS",

abstract = "The adoption of security protocols such as Transport Layer Security (TLS) has significantly improved the state of traffic encryption and integrity protection on the Internet. Despite rigorous analysis, vulnerabilities continue to emerge, sometimes due to fundamental flaws in the protocol specification. This paper examines the security of TLS when using Raw Public Key (RPK) authentication. This mode has not been as extensively studied as X.509 certificates and Pre-Shared Keys (PSK). We develop a formal model of TLS RPK using applied pi calculus and the ProVerif verification tool, revealing that the RPK mode is susceptible to identity misbinding attacks. Our contributions include formal models of TLS RPK with several mechanisms for binding the endpoint identity to its public key, verification results, practical scenarios demonstrating the misbinding attack, and recommendations for mitigating such vulnerabilities. These findings highlight the need for improved security measures in TLS RPK.",

keywords = "formal modeling, identity misbinding, raw public key, TLS",

author = "Mariam Moustafa and Mohit Sethi and Tuomas Aura",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.; Nordic Conference on Secure IT Systems, NordSec ; Conference date: 06-11-2024 Through 07-11-2024",

year = "2025",

month = jan,

day = "28",

doi = "10.1007/978-3-031-79007-2_4",

language = "English",

isbn = "978-3-031-79006-5",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "62--79",

editor = "{Horn Iwaya}, Leonardo and Liina Kamm and Leonardo Martucci and Tobias Pulls",

booktitle = "Secure IT Systems - 29th Nordic Conference, NordSec 2024, Proceedings",

address = "Germany",

}

Moustafa, M , Sethi, M & Aura, T 2025, Misbinding Raw Public Keys to Identities in TLS. in L Horn Iwaya, L Kamm, L Martucci & T Pulls (eds), Secure IT Systems - 29th Nordic Conference, NordSec 2024, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 15396 LNCS, Springer, pp. 62-79, Nordic Conference on Secure IT Systems, Karlstad, Sweden, 06/11/2024. https://doi.org/10.1007/978-3-031-79007-2_4

Misbinding Raw Public Keys to Identities in TLS. / Moustafa, Mariam ; Sethi, Mohit ; Aura, Tuomas.
Secure IT Systems - 29th Nordic Conference, NordSec 2024, Proceedings. ed. / Leonardo Horn Iwaya; Liina Kamm; Leonardo Martucci; Tobias Pulls. Springer, 2025. p. 62-79 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 15396 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

TY - GEN

T1 - Misbinding Raw Public Keys to Identities in TLS

AU - Moustafa, Mariam

AU - Sethi, Mohit

AU - Aura, Tuomas

N1 - Conference code: 29

PY - 2025/1/28

Y1 - 2025/1/28

N2 - The adoption of security protocols such as Transport Layer Security (TLS) has significantly improved the state of traffic encryption and integrity protection on the Internet. Despite rigorous analysis, vulnerabilities continue to emerge, sometimes due to fundamental flaws in the protocol specification. This paper examines the security of TLS when using Raw Public Key (RPK) authentication. This mode has not been as extensively studied as X.509 certificates and Pre-Shared Keys (PSK). We develop a formal model of TLS RPK using applied pi calculus and the ProVerif verification tool, revealing that the RPK mode is susceptible to identity misbinding attacks. Our contributions include formal models of TLS RPK with several mechanisms for binding the endpoint identity to its public key, verification results, practical scenarios demonstrating the misbinding attack, and recommendations for mitigating such vulnerabilities. These findings highlight the need for improved security measures in TLS RPK.

AB - The adoption of security protocols such as Transport Layer Security (TLS) has significantly improved the state of traffic encryption and integrity protection on the Internet. Despite rigorous analysis, vulnerabilities continue to emerge, sometimes due to fundamental flaws in the protocol specification. This paper examines the security of TLS when using Raw Public Key (RPK) authentication. This mode has not been as extensively studied as X.509 certificates and Pre-Shared Keys (PSK). We develop a formal model of TLS RPK using applied pi calculus and the ProVerif verification tool, revealing that the RPK mode is susceptible to identity misbinding attacks. Our contributions include formal models of TLS RPK with several mechanisms for binding the endpoint identity to its public key, verification results, practical scenarios demonstrating the misbinding attack, and recommendations for mitigating such vulnerabilities. These findings highlight the need for improved security measures in TLS RPK.

KW - formal modeling

KW - identity misbinding

KW - raw public key

KW - TLS

UR - http://www.scopus.com/inward/record.url?scp=85218501960&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-79007-2_4

DO - 10.1007/978-3-031-79007-2_4

M3 - Conference article in proceedings

AN - SCOPUS:85218501960

SN - 978-3-031-79006-5

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 62

EP - 79

BT - Secure IT Systems - 29th Nordic Conference, NordSec 2024, Proceedings

A2 - Horn Iwaya, Leonardo

A2 - Kamm, Liina

A2 - Martucci, Leonardo

A2 - Pulls, Tobias

PB - Springer

T2 - Nordic Conference on Secure IT Systems

Y2 - 6 November 2024 through 7 November 2024

ER -

Moustafa M , Sethi M , Aura T. Misbinding Raw Public Keys to Identities in TLS. In Horn Iwaya L, Kamm L, Martucci L, Pulls T, editors, Secure IT Systems - 29th Nordic Conference, NordSec 2024, Proceedings. Springer. 2025. p. 62-79. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-79007-2_4